This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS: python2.4-crypto 2.0.1+dfsg1-1ubuntu1.1

Ubuntu 7.10: python-crypto 2.0.1+dfsg1-2ubuntu1.1

Ubuntu 8.04 LTS: python-crypto 2.0.1+dfsg1-2.1ubuntu1.1

Ubuntu 8.10: python-crypto 2.0.1+dfsg1-2.3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Mike Wiacek discovered that the ARC2 implementation in Python Crypto did not correctly check the key length. If a user or automated system were tricked into processing a malicious ARC2 stream, a remote attacker could execute arbitrary code or crash the application using Python Crypto, leading to a denial of service.